
Most employers maintain records with sensitive information relating to their employees, such as social security numbers or similar information. When a data breach occurs and this information is disclosed without authorization, employers may have legal obligations to notify employees affected by the breach.

For example, Minnesota law has a data breach notification requirement that would require an employer to notify employees “in the most expedient time possible and without unreasonable delay” of a suspected data breach. The law provides that:

Any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system.

See Minn. Stat. § 325E.61. For purposes of the statute, “personal information” is defined to include unencrypted data including an individual’s first name or first initial and last name in combination with any of the following: (i) a social security number; (ii) a driver’s license number or Minnesota identification card number; or (iii) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

For a mass data breach affecting 500 or more individuals at a time, the employer would also need to provide notification within 48 hours to “all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis . . . of the timing, distribution, and content of the notices.”

Takeaway: When a data breach affecting employee data occurs, an employer may need to comply quickly with notification obligations under applicable state law. In the event of a data breach, it is important for employers to check the notification requirements for each state where affected employees are located.
